
Encrypted Mutt IMAP/SMTP Passwords

Rather than storing your IMAP and SMTP passwords in plain text on disk, you can store them encrypted using GnuPG, OpenSSL, the GNOME Keyring, or any other method of encrypted password storage. You still have to supply a "master password" to decrypt the file(s) on the fly and set the appropriate passwords. Once decrypted, the passwords remain in RAM in plain text for as long as Mutt is running, but you no longer have to worry about them going to disk in plain text.

Here's how I set mine up using my GnuPG key. First, I created a ~/.mutt/passwords file. The file is in plain text. Before encrypting it, here are its contents:

set imap_pass="password"
set smtp_pass="password"

I then encrypt that file with the following command:

% gpg -r your.email@example.com -e ~/.mutt/passwords
% ls ~/.mutt/passwords*
/home/user/.mutt/passwords /home/user/.mutt/passwords.gpg
% shred ~/.mutt/passwords
% rm ~/.mutt/passwords

The last two commands are to ensure that the temporary file you created for encryption is securely wiped from the disk using the GNU Shred utility. Now, you should only have an encrypted binary data file that contains your passwords. All that is left is to configure Mutt to decrypt them when starting up. You can set that easily in your Muttrc:

source "gpg -d ~/.mutt/passwords.gpg |"

The argument to "source" is an ordinary quoted string. The trailing "|" is important: it tells Mutt to run the string as a command and source its output, rather than treating the string as a file name.

At this point, you should be able to launch Mutt, be asked for the passphrase for your private GnuPG key, and be logged in to your IMAP account. You should also be able to send mail as normal, logging automatically into your SMTP account. The only password you are asked for is your GnuPG passphrase when starting Mutt. If your "gpg-agent" is already running, and you've configured GnuPG to use the agent and added your private key to it, then Mutt won't ask for your key passphrase on startup and will use the agent instead.

Other than temporarily creating the plain text file to encrypt, which stores your passwords, and which you promptly and securely shred later, your IMAP/SMTP passwords for your remote account are never on disk in plain text.
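
The temporary plain text file mentioned above can be avoided by piping the two "set" lines straight into gpg. The script below is an added example, not part of the original post: its function names and the default output path are assumptions, and the escaping relies on Mutt's documented rule that a backslash inside double quotes quotes the next character.

```shell
#!/bin/bash
# Added example: create ~/.mutt/passwords.gpg without a plaintext temp file.
# Usage: <this script> your.email@example.com [output-file]

# Wrap a value in muttrc double quotes, backslash-escaping the characters
# Mutt interprets inside them: backslash, double quote, $ and backtick.
mutt_quote() {
    escaped=$(printf '%s\n' "$1" | sed 's/[\\"$`]/\\&/g')
    printf '"%s"' "$escaped"
}

# Emit the same two lines the post stores in ~/.mutt/passwords.
render_passwords() {
    printf 'set imap_pass=%s\n' "$(mutt_quote "$1")"
    printf 'set smtp_pass=%s\n' "$(mutt_quote "$2")"
}

main() {
    recipient=$1
    out=${2:-$HOME/.mutt/passwords.gpg}   # assumed default, matches the post
    umask 077                             # new file readable by owner only
    # IFS= and -r keep spaces and backslashes; -s suppresses terminal echo.
    IFS= read -r -s -p 'IMAP password: ' imap; echo >&2
    IFS= read -r -s -p 'SMTP password: ' smtp; echo >&2
    # Plaintext travels only through the pipe; only ciphertext reaches disk.
    render_passwords "$imap" "$smtp" |
        gpg --encrypt --recipient "$recipient" --output "$out"
}

# Run only when a recipient is given, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Because the values are escaped before quoting, a password containing a backtick or "$" is stored literally instead of being expanded when Mutt sources the decrypted output.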

Happy encrypted hacking!

{ 5 } Comments

  1. sam using Google Chrome 16.0.912.63 on Windows 7 | January 8, 2012 at 6:33 am | Permalink

    muttrc also supports back-ticks. I have a small shell script that turns off local echo, asks for my password, turns on local echo, and then echoes it as it exits.

    set smtp_pass=`/home/sam/bin/muttpasswd`

    #!/bin/bash

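    # Read without echo; IFS= and -r keep spaces and backslashes intact
    IFS= read -r -s -p "Password: " P
    # Quote the variable so the password is printed verbatim
    printf '%s\n' "$P"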

    Hope this helps.

  2. Benjamin Kerensa using Google Chrome 15.0.874.120 on Ubuntu 64 bits | January 8, 2012 at 10:14 pm | Permalink

    I wonder if Thunderbird stores passwords in plaintext =o now I'm concerned

  3. vontrapp using Google Chrome 14.0.835.186 on GNU/Linux 64 bits | January 27, 2012 at 11:33 pm | Permalink

    There's a very handy vim plugin that does gpg very nicely, taking care to not store anything to disk and other precautions so you don't have to rely on shred. Additionally shred doesn't really work as intended with journaled filesystems, iirc.

    I use the one by markus braun
    http://www.vim.org/scripts/script.php?script_id=661
    There's another which I know nothing of by james mccoy

    Once you have the plugin plopped into the ~/.vim/plugins directory, simply edit the .gpg file:
    vim ~/.mutt/private.gpg

    Enter your gpg uid (recipient address) in the top buffer and close it. Then edit the bottom buffer. vim will encrypt with gpg any time it writes to disk, and it turns off viminfo and swapfiles, too, so you don't leak anything.

  4. Tom Dickson-Hunt using Google Chrome 18.0.1025.142 on Ubuntu 64 bits | April 23, 2012 at 9:48 pm | Permalink

    Very nice. I like this a lot.

    A note: if you've got a recent Emacs, then you don't have to bother with saving, shredding, etc.; simply find the new file passwords.gpg, type in its contents, and save, and Emacs will automatically encrypt it without ever writing plaintext to disk.

  5. jL using Debian IceWeasel 17.0.9 on GNU/Linux | September 20, 2013 at 1:05 pm | Permalink

    Thanks a lot, very helpful

{ 2 } Trackbacks

  1. Aaron Toponce : Encrypt Your Irssi Config | February 28, 2012 at 7:30 am | Permalink

    [...] Irssi as my client of choice, AND the fact that others have asked me about it after blogging about encrypting your IMAP/SMTP passwords with Mutt, I figured this was an appropriate [...]

  2. [...] http://pthree.org/2012/01/07/encrypted-mutt-imap-smtp-passwords/ Leave a Comment TrackBack URI [...]
